What About SQL Injection?

Apr 12, 2010 at 12:30 AM

Are there any features to protect against SQL Injection?

Apr 12, 2010 at 8:31 PM

Sorry, I had no Time at all to publish and translate my documentation in English.

You can use the Syntax [@x] instead of @x and the objectnames will get quoted correctly.

Don't worry, if your Names are quoted already. DSQLT won't quote twice.

The same Logic is implemented for strings:  Use '@x'.

If you want to use a multi-part name, use [@x.@x] instead of  [@x]. DSQLT will split the name into server.database.schema.object, quote the single parts and combine them again to [server].[database].[schema].[object]

You will find the Implementation in DSQLT._replaceParameter.

It's sure not enough for a full protection against SQL Injection, but it helps you to do your work.